In the not-so-distant past, national banks proclaimed their power and security with giant pillars at their entrances, marble counters and thick glass separating bank tellers from bank patrons, and two-foot-thick vault doors that stood open during the day to show they were impenetrable. That physical setting made clients feel safe and secure and built loyalty.
Bank executives clearly understood their external threats, recognizing their reputations were on the line and could be significantly, if not irreparably, damaged by a single break-in.
Yesterday's pillars and vaults have been replaced with today's smart networks and vigilant security applications -- and stacks of gold or bills have been replaced with intellectual property, trade secrets, and customer and financial data.
But the constant remains: companies are still possibly only one breach away from significant, if not irreparable, harm. Companies are often required by regulatory agencies to report breaches -- and the consequences can be devastating in terms of lost revenue, damaged reputations, and additional legal and financial repercussions.
Vulnerable to Attack at Any Time
An understanding of information technology security isn't taught in most MBA programs. Yet C-level executives must be prepared to understand conceptual threats that are much more complicated than a 'vault break-in.'
Physical security is a concept most executives can get a handle on -- but exposures stemming from Advanced Persistent Threats (APTs) or even social engineering require continuing awareness training and retraining. These gaps in knowledge and awareness often manifest as weaknesses in strategy and operations that leave organizations vulnerable to attack.
Cyber security is now a C-Level concern, for three important reasons.
First, organizations now rely more than ever on the Internet and the cloud for their daily operations. Their ever-growing digital footprints leave customer financial data, trade secrets, intellectual property, and sensitive communications potentially exposed to exploitation by hacktivists or cyber thieves.
Second, organizations now must address the risks presented by the Bring-Your-Own-Device (BYOD) trend, especially important thanks to both a rise in mobile threats and the likelihood of a mobile phone or tablet being lost or stolen.
Lastly, compliance remains a critical information security driver, especially for companies in regulated industries like healthcare, or those with contractual obligations like PCI-DSS.
Corporate security policy needs to be a top-down philosophy, with a C-level focus centering on protecting IP and customer data, maintaining systems availability, and delivering a positive security reputation. It is only when executives understand their exposure (what can be stolen) and the threats (how it can be stolen) that they can address real solutions. That takes awareness training.
What they learn can help their company immeasurably. They will be able to identify true risks to their company by assessing the probability and impact of realistic situations that pose a security threat.
With a grasp of the relative risks, they'll know much more about which events are likely to happen and will hurt the most. Then, they can pay attention to them and act accordingly.
Security Essential to Company Survival
Security policies are the essential foundation of corporate threat protection -- however, policy only says what to do, not how to do it.
C-level executives should be able to provide informed leadership in developing policy. It starts with an overarching policy statement along the lines of "security is essential to the success and survival of our company."
That comes from the very top and gives the next level down the authority to create functional policies such as access control, privacy, acceptable use, and change control, along with the necessary funding to implement them.
Functional policies are supported by standards (we do, we use, etc.) and procedures (step by step to accomplish a task), along with the necessary training and education needed for both technical and non-technical staff.
Marble pillars and thick vaults are no longer good enough. Ultimately, a company's security plan should become a competitive advantage. When consumers and business partners see enhanced security that isn't cumbersome to them, they'll appreciate the extra safety and have confidence in doing business with the company.
Author Christopher Porter is CEO for Training Camp, a leading provider of information technology and security training courses that has trained nearly 100,000 certification candidates worldwide.